diff --git a/policy-F12.patch b/policy-F12.patch
index 3e74fc4..77e3cd2 100644
--- a/policy-F12.patch
+++ b/policy-F12.patch
@@ -812,7 +812,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/usr/bin/online_update -- gen_context(system_u:object_r:rpm_exec_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/rpm.if serefpolicy-3.6.32/policy/modules/admin/rpm.if
--- nsaserefpolicy/policy/modules/admin/rpm.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-18 16:19:22.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/admin/rpm.if 2009-11-24 07:36:02.000000000 -0500
@@ -13,11 +13,34 @@
interface(`rpm_domtrans',`
gen_require(`
@@ -860,7 +860,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
-@@ -146,6 +174,41 @@
+@@ -146,6 +174,42 @@
########################################
##
@@ -895,6 +895,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
+ dontaudit $1 rpm_tmpfs_t:file write_file_perms;
+ dontaudit $1 rpm_script_tmp_t:file write_file_perms;
++ dontaudit $1 rpm_var_lib_t:file { read write };
+')
+
+########################################
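Review bot: The added `dontaudit $1 rpm_var_lib_t:file { read write };` silences write denials on the RPM package database files, so a calling domain that actually tries to modify the database would no longer leave an audit trace; the interface this sits in starts before the hunk, so its name and summary are not visible here. If the intent is to hide descriptors leaked from rpm scriptlets, say so on the line, e.g. `# fds to rpm_var_lib_t leaked into child domains: silence, never allow`, and check whether the observed denials need more than `read`.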
@@ -902,7 +903,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Send and receive messages from
## rpm over dbus.
##
-@@ -167,6 +230,68 @@
+@@ -167,6 +231,68 @@
########################################
##
@@ -971,7 +972,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Create, read, write, and delete the RPM log.
##
##
-@@ -186,6 +311,24 @@
+@@ -186,6 +312,24 @@
########################################
##
@@ -996,7 +997,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Inherit and use file descriptors from RPM scripts.
##
##
-@@ -219,7 +362,51 @@
+@@ -219,7 +363,51 @@
')
files_search_tmp($1)
@@ -1048,7 +1049,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -241,6 +428,25 @@
+@@ -241,6 +429,25 @@
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
@@ -1074,7 +1075,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -265,6 +471,48 @@
+@@ -265,6 +472,48 @@
########################################
##
@@ -1123,7 +1124,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
##
-@@ -283,3 +531,99 @@
+@@ -283,3 +532,99 @@
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
@@ -1661,7 +1662,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+permissive smoltclient_t;
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/admin/sudo.if serefpolicy-3.6.32/policy/modules/admin/sudo.if
--- nsaserefpolicy/policy/modules/admin/sudo.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-09-30 16:12:48.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/admin/sudo.if 2009-11-24 14:46:21.000000000 -0500
@@ -66,8 +66,8 @@
allow $1_sudo_t self:unix_stream_socket create_stream_socket_perms;
allow $1_sudo_t self:unix_dgram_socket sendto;
@@ -3526,7 +3527,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
##
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/mozilla.te serefpolicy-3.6.32/policy/modules/apps/mozilla.te
--- nsaserefpolicy/policy/modules/apps/mozilla.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-20 08:13:03.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/mozilla.te 2009-11-24 16:47:43.000000000 -0500
@@ -59,6 +59,7 @@
manage_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
manage_lnk_files_pattern(mozilla_t, mozilla_home_t, mozilla_home_t)
@@ -4370,8 +4371,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+application_domain(openoffice_t, openoffice_exec_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/podsleuth.te serefpolicy-3.6.32/policy/modules/apps/podsleuth.te
--- nsaserefpolicy/policy/modules/apps/podsleuth.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-11-04 08:12:01.000000000 -0500
-@@ -71,6 +71,8 @@
++++ serefpolicy-3.6.32/policy/modules/apps/podsleuth.te 2009-11-24 18:08:03.000000000 -0500
+@@ -66,11 +66,14 @@
+ fs_search_dos(podsleuth_t)
+ fs_getattr_tmpfs(podsleuth_t)
+ fs_list_tmpfs(podsleuth_t)
++fs_rw_removable_blk_files(podsleuth_t)
+
+ miscfiles_read_localization(podsleuth_t)
sysnet_dns_name_resolve(podsleuth_t)
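Review bot: `fs_rw_removable_blk_files(podsleuth_t)` gives podsleuth read and write access on removable block nodes (as the interface name reads), and the line carries no comment saying which operation needed the write half. A write path onto a block device bypasses whatever labeling the filesystem on it has, so it is worth recording the reason, e.g. `# podsleuth probes the iPod partition layout via its block node — confirm write is required`, and preferring a read-only interface if the filesystem module provides one and the denials were reads only.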
@@ -4380,6 +4387,38 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
optional_policy(`
dbus_system_bus_client(podsleuth_t)
+diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/ptchown.if serefpolicy-3.6.32/policy/modules/apps/ptchown.if
+--- nsaserefpolicy/policy/modules/apps/ptchown.if 2009-09-16 10:01:19.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/apps/ptchown.if 2009-11-24 14:55:43.000000000 -0500
+@@ -18,3 +18,28 @@
+ domtrans_pattern($1, ptchown_exec_t, ptchown_t)
+ ')
+
++########################################
++##
++## Execute ptchown in the ptchown domain, and
++## allow the specified role the ptchown domain.
++##
++##
++##
++## Domain allowed access.
++##
++##
++##
++##
++## The role to be allowed the ptchown domain.
++##
++##
++#
++interface(`ptchown_run',`
++ gen_require(`
++ type ptchown_t;
++ ')
++
++ ptchown_domtrans($1)
++ role $2 types ptchown_t;
++')
++
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/pulseaudio.if serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if
--- nsaserefpolicy/policy/modules/apps/pulseaudio.if 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/apps/pulseaudio.if 2009-10-05 08:28:56.000000000 -0400
@@ -4852,7 +4891,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# No types are sandbox_exec_t
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/apps/sandbox.if serefpolicy-3.6.32/policy/modules/apps/sandbox.if
--- nsaserefpolicy/policy/modules/apps/sandbox.if 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-21 19:21:01.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/apps/sandbox.if 2009-11-24 14:52:59.000000000 -0500
@@ -0,0 +1,188 @@
+
+## policy for sandbox
@@ -6188,7 +6227,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
#network_node(multicast, s0 - mls_systemhigh, ff00::, ff00::)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/devices.fc serefpolicy-3.6.32/policy/modules/kernel/devices.fc
--- nsaserefpolicy/policy/modules/kernel/devices.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-10-19 09:11:30.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/kernel/devices.fc 2009-11-24 11:28:10.000000000 -0500
@@ -47,8 +47,10 @@
/dev/kmem -c gen_context(system_u:object_r:memory_device_t,mls_systemhigh)
/dev/kmsg -c gen_context(system_u:object_r:kmsg_device_t,mls_systemhigh)
@@ -6217,9 +6256,12 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
/dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
-@@ -139,8 +142,11 @@
+@@ -138,9 +141,14 @@
+ /dev/input/uinput -c gen_context(system_u:object_r:event_device_t,s0)
/dev/mapper/control -c gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/btrfs-control -c gen_context(system_u:object_r:lvm_control_t,s0)
++/dev/etherd/.+ -c gen_context(system_u:object_r:lvm_control_t,s0)
+/dev/modem -c gen_context(system_u:object_r:modem_device_t,s0)
/dev/mvideo/.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
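Review bot: `/dev/btrfs-control` and `/dev/etherd/.+` are both labeled `lvm_control_t` with no comment, which reuses the device-mapper control type for a btrfs node and for ATA-over-Ethernet character nodes and therefore exposes them to every domain already allowed that type; a reader cannot tell that this is deliberate. The same `/dev/etherd/.+` pattern also appears in storage.fc in this diff with `-b` and `fixed_disk_device_t`, so the two entries differ only in node type. A comment above these lines, e.g. `# btrfs-control and AoE char nodes are treated as volume-management controls; AoE block nodes are in storage.fc`, would tie the two together.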
@@ -6229,7 +6271,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/pts(/.*)? <>
/dev/s(ou)?nd/.* -c gen_context(system_u:object_r:sound_device_t,s0)
-@@ -148,6 +154,8 @@
+@@ -148,6 +156,8 @@
/dev/touchscreen/ucb1x00 -c gen_context(system_u:object_r:mouse_device_t,s0)
/dev/touchscreen/mk712 -c gen_context(system_u:object_r:mouse_device_t,s0)
@@ -6238,7 +6280,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/dev/usb/dc2xx.* -c gen_context(system_u:object_r:scanner_device_t,s0)
/dev/usb/lp.* -c gen_context(system_u:object_r:printer_device_t,s0)
/dev/usb/mdc800.* -c gen_context(system_u:object_r:scanner_device_t,s0)
-@@ -168,6 +176,7 @@
+@@ -168,6 +178,7 @@
ifdef(`distro_redhat',`
# originally from named.fc
@@ -6604,7 +6646,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/domain.if serefpolicy-3.6.32/policy/modules/kernel/domain.if
--- nsaserefpolicy/policy/modules/kernel/domain.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-23 17:51:00.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/domain.if 2009-11-23 17:52:24.000000000 -0500
@@ -44,34 +44,6 @@
interface(`domain_type',`
# start with basic domain
@@ -6640,7 +6682,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
########################################
-@@ -791,6 +763,24 @@
+@@ -791,6 +762,24 @@
########################################
##
@@ -6665,7 +6707,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to get the
## session ID of all domains.
##
-@@ -1039,6 +1029,54 @@
+@@ -1039,6 +1028,54 @@
########################################
##
@@ -6720,7 +6762,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Do not audit attempts to get the attributes
## of all domains unnamed pipes.
##
-@@ -1248,18 +1286,34 @@
+@@ -1248,18 +1285,34 @@
##
##
#
@@ -6758,7 +6800,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Allow specified type to receive labeled
## networking packets from all domains, over
## all protocols (TCP, UDP, etc)
-@@ -1280,6 +1334,24 @@
+@@ -1280,6 +1333,24 @@
########################################
##
@@ -6783,7 +6825,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## Unconfined access to domains.
##
##
-@@ -1304,3 +1376,20 @@
+@@ -1304,3 +1375,20 @@
typeattribute $1 process_uncond_exempt;
')
@@ -6971,7 +7013,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
/var/lib/nfs/rpc_pipefs(/.*)? <>
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/files.if serefpolicy-3.6.32/policy/modules/kernel/files.if
--- nsaserefpolicy/policy/modules/kernel/files.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-23 11:26:09.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/files.if 2009-11-24 10:10:59.000000000 -0500
@@ -110,6 +110,11 @@
##
#
@@ -7517,7 +7559,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/filesystem.if serefpolicy-3.6.32/policy/modules/kernel/filesystem.if
--- nsaserefpolicy/policy/modules/kernel/filesystem.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-18 07:49:22.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/kernel/filesystem.if 2009-11-24 18:07:53.000000000 -0500
@@ -290,7 +290,7 @@
########################################
@@ -8180,8 +8222,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/kernel/storage.fc serefpolicy-3.6.32/policy/modules/kernel/storage.fc
--- nsaserefpolicy/policy/modules/kernel/storage.fc 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-09-30 16:12:48.000000000 -0400
-@@ -28,6 +28,7 @@
++++ serefpolicy-3.6.32/policy/modules/kernel/storage.fc 2009-11-24 11:27:53.000000000 -0500
+@@ -14,6 +14,7 @@
+ /dev/dasd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/dm-[0-9]+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/drbd[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
++/dev/etherd/.+ -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/fd[^/]+ -b gen_context(system_u:object_r:removable_device_t,s0)
+ /dev/flash[^/]* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh)
+ /dev/gscd -b gen_context(system_u:object_r:removable_device_t,s0)
+@@ -28,6 +29,7 @@
/dev/megadev.* -c gen_context(system_u:object_r:removable_device_t,s0)
/dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
/dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0)
@@ -9520,8 +9570,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/unconfineduser.te serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te
--- nsaserefpolicy/policy/modules/roles/unconfineduser.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-20 08:01:26.000000000 -0500
-@@ -0,0 +1,427 @@
++++ serefpolicy-3.6.32/policy/modules/roles/unconfineduser.te 2009-11-24 14:57:35.000000000 -0500
+@@ -0,0 +1,431 @@
+policy_module(unconfineduser, 1.0.0)
+
+########################################
@@ -9856,6 +9906,10 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+')
+
+optional_policy(`
++ virt_transition_svirt(unconfined_t, unconfined_r)
++')
++
++optional_policy(`
+ vpn_run(unconfined_t, unconfined_r)
+')
+
@@ -10102,8 +10156,8 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
')
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/roles/xguest.te serefpolicy-3.6.32/policy/modules/roles/xguest.te
--- nsaserefpolicy/policy/modules/roles/xguest.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-11-20 08:11:54.000000000 -0500
-@@ -31,16 +31,37 @@
++++ serefpolicy-3.6.32/policy/modules/roles/xguest.te 2009-11-24 18:09:07.000000000 -0500
+@@ -31,16 +31,38 @@
userdom_restricted_xwindows_user_template(xguest)
@@ -10129,6 +10183,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# Dontaudit fusermount
+dontaudit xguest_t self:capability sys_admin;
++allow xguest_t self:process execmem;
+
# Allow mounting of file systems
optional_policy(`
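Review bot: `allow xguest_t self:process execmem;` is unconditional, so the restricted guest domain can now map anonymous memory both writable and executable, giving up the W^X property the xguest role otherwise keeps, and the line does not name the application that needed it. If this is for a JIT (browser, mono), gate it behind the `allow_execmem` tunable if that boolean is declared in this policy, or at least annotate it, e.g. `# execmem required by <application> — TODO name it`, so it can be revisited. The `dontaudit xguest_t self:capability sys_admin;` line just above shows the preferable pattern for a permission the domain merely probes.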
@@ -10141,42 +10196,78 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_dontaudit_getattr_boot_dirs(xguest_t)
files_search_mnt(xguest_t)
-@@ -49,6 +70,7 @@
+@@ -49,10 +71,9 @@
fs_manage_noxattr_fs_dirs(xguest_t)
fs_getattr_noxattr_fs(xguest_t)
fs_read_noxattr_fs_symlinks(xguest_t)
+ fs_mount_fusefs(xguest_t)
auth_list_pam_console_data(xguest_t)
+-
+- init_read_utmp(xguest_t)
+ ')
+ ')
-@@ -67,7 +89,11 @@
+@@ -67,17 +88,60 @@
')
optional_policy(`
- java_role(xguest_r, xguest_t)
+ java_role_template(xguest, xguest_r, xguest_t)
-+')
-+
-+optional_policy(`
-+ mono_role_template(xguest, xguest_r, xguest_t)
')
optional_policy(`
-@@ -75,9 +101,17 @@
- ')
-
- optional_policy(`
-+ nsplugin_role(xguest_r, xguest_t)
+- mozilla_role(xguest_r, xguest_t)
++ mono_role_template(xguest, xguest_r, xguest_t)
+')
+
+optional_policy(`
++ nsplugin_role(xguest_r, xguest_t)
+ ')
+
+ optional_policy(`
tunable_policy(`xguest_connect_network',`
networkmanager_dbus_chat(xguest_t)
+ networkmanager_read_var_lib_files(xguest_t)
-+ corenet_tcp_connect_pulseaudio_port(xguest_t)
-+ corenet_tcp_connect_ipp_port(xguest_t)
-+ corenet_tcp_connect_http_port(xguest_t)
++ corenet_tcp_connect_pulseaudio_port(xguest_usertype)
++ corenet_all_recvfrom_unlabeled(xguest_usertype)
++ corenet_all_recvfrom_netlabel(xguest_usertype)
++ corenet_tcp_sendrecv_generic_if(xguest_usertype)
++ corenet_raw_sendrecv_generic_if(xguest_usertype)
++ corenet_tcp_sendrecv_generic_node(xguest_usertype)
++ corenet_raw_sendrecv_generic_node(xguest_usertype)
++ corenet_tcp_sendrecv_http_port(xguest_usertype)
++ corenet_tcp_sendrecv_http_cache_port(xguest_usertype)
++ corenet_tcp_sendrecv_ftp_port(xguest_usertype)
++ corenet_tcp_sendrecv_ipp_port(xguest_usertype)
++ corenet_tcp_connect_http_port(xguest_usertype)
++ corenet_tcp_connect_http_cache_port(xguest_usertype)
++ corenet_tcp_connect_flash_port(xguest_usertype)
++ corenet_tcp_connect_ftp_port(xguest_usertype)
++ corenet_tcp_connect_ipp_port(xguest_usertype)
++ corenet_tcp_connect_generic_port(xguest_usertype)
++ corenet_tcp_connect_soundd_port(xguest_usertype)
++ corenet_sendrecv_http_client_packets(xguest_usertype)
++ corenet_sendrecv_http_cache_client_packets(xguest_usertype)
++ corenet_sendrecv_ftp_client_packets(xguest_usertype)
++ corenet_sendrecv_ipp_client_packets(xguest_usertype)
++ corenet_sendrecv_generic_client_packets(xguest_usertype)
++ # Should not need other ports
++ corenet_dontaudit_tcp_sendrecv_generic_port(xguest_usertype)
++ corenet_dontaudit_tcp_bind_generic_port(xguest_usertype)
++ corenet_tcp_connect_speech_port(xguest_usertype)
++ corenet_tcp_sendrecv_transproxy_port(xguest_usertype)
++ corenet_tcp_connect_transproxy_port(xguest_usertype)
++ ')
')
++
++optional_policy(`
++ gen_require(`
++ type mozilla_t;
++ ')
++
++ allow xguest_t mozilla_t:process transition;
++ role xguest_r types mozilla_t;
')
-#gen_user(xguest_u,, xguest_r, s0, s0)
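Review bot: Inside the `xguest_connect_network` tunable the new list ends its connect rules with `corenet_tcp_connect_generic_port(xguest_usertype)`, which permits outbound TCP to every port that carries no specific label, so the port-by-port grants above it (http, http_cache, flash, ftp, ipp, soundd) and the `# Should not need other ports` comment no longer describe the effective policy. If a particular service triggered this, name its port type instead; if the generic grant is intended, move or reword the comment so it does not contradict the rule above it. The rules are also applied to `xguest_usertype` rather than `xguest_t`, which widens them to every type carrying that attribute — probably the point, but a one-line comment saying so would help the next reader.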
@@ -10329,7 +10420,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
## All of the rules required to administrate
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/abrt.te serefpolicy-3.6.32/policy/modules/services/abrt.te
--- nsaserefpolicy/policy/modules/services/abrt.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-23 16:38:25.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/abrt.te 2009-11-24 10:11:37.000000000 -0500
@@ -33,12 +33,23 @@
type abrt_var_run_t;
files_pid_file(abrt_var_run_t)
@@ -10376,7 +10467,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_pid_filetrans(abrt_t, abrt_var_run_t, { file dir })
kernel_read_ring_buffer(abrt_t)
-@@ -75,10 +89,17 @@
+@@ -75,18 +89,29 @@
corecmd_exec_bin(abrt_t)
corecmd_exec_shell(abrt_t)
@@ -10394,7 +10485,11 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
files_getattr_all_files(abrt_t)
files_read_etc_files(abrt_t)
-@@ -87,6 +108,7 @@
+ files_read_usr_files(abrt_t)
+
++files_dontaudit_list_default(abrt_t)
++files_dontaudit_read_default_files(abrt_t)
++
fs_list_inotifyfs(abrt_t)
fs_getattr_all_fs(abrt_t)
fs_getattr_all_dirs(abrt_t)
@@ -10402,7 +10497,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
sysnet_read_config(abrt_t)
-@@ -96,22 +118,64 @@
+@@ -96,22 +121,64 @@
miscfiles_read_certs(abrt_t)
miscfiles_read_localization(abrt_t)
@@ -10418,15 +10513,15 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+optional_policy(`
+ nis_use_ypbind(abrt_t)
+')
-+
-+optional_policy(`
-+ nsplugin_read_rw_files(abrt_t)
-+ nsplugin_read_home(abrt_t)
-+')
optional_policy(`
- dbus_connect_system_bus(abrt_t)
- dbus_system_bus_client(abrt_t)
++ nsplugin_read_rw_files(abrt_t)
++ nsplugin_read_home(abrt_t)
++')
++
++optional_policy(`
+ policykit_dbus_chat(abrt_t)
+ policykit_domtrans_auth(abrt_t)
+ policykit_read_lib(abrt_t)
@@ -12321,7 +12416,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
xserver_domtrans(apmd_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/arpwatch.te serefpolicy-3.6.32/policy/modules/services/arpwatch.te
--- nsaserefpolicy/policy/modules/services/arpwatch.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2009-11-19 09:58:31.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/arpwatch.te 2009-11-23 18:38:59.000000000 -0500
@@ -34,6 +34,7 @@
allow arpwatch_t self:tcp_socket { connect create_stream_socket_perms };
allow arpwatch_t self:udp_socket create_socket_perms;
@@ -12330,6 +12425,14 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
manage_dirs_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
manage_files_pattern(arpwatch_t, arpwatch_data_t, arpwatch_data_t)
+@@ -46,6 +47,7 @@
+ manage_files_pattern(arpwatch_t, arpwatch_var_run_t, arpwatch_var_run_t)
+ files_pid_filetrans(arpwatch_t, arpwatch_var_run_t, file)
+
++kernel_read_network_state(arpwatch_t)
+ kernel_read_kernel_sysctls(arpwatch_t)
+ kernel_list_proc(arpwatch_t)
+ kernel_read_proc_symlinks(arpwatch_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/asterisk.if serefpolicy-3.6.32/policy/modules/services/asterisk.if
--- nsaserefpolicy/policy/modules/services/asterisk.if 2009-09-16 10:01:19.000000000 -0400
+++ serefpolicy-3.6.32/policy/modules/services/asterisk.if 2009-11-09 12:03:06.000000000 -0500
@@ -16090,17 +16193,18 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
logging_send_syslog_msg($1_milter_t)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/modemmanager.te serefpolicy-3.6.32/policy/modules/services/modemmanager.te
--- nsaserefpolicy/policy/modules/services/modemmanager.te 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-10-22 10:43:01.000000000 -0400
-@@ -16,7 +16,7 @@
++++ serefpolicy-3.6.32/policy/modules/services/modemmanager.te 2009-11-24 07:19:34.000000000 -0500
+@@ -16,7 +16,8 @@
#
# ModemManager local policy
#
-
++allow modemmanager_t self:capability sys_admin;
+allow modemmanager_t self:process signal;
allow modemmanager_t self:fifo_file rw_file_perms;
allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
-@@ -24,6 +24,7 @@
+@@ -24,6 +25,7 @@
kernel_read_system_state(modemmanager_t)
dev_read_sysfs(modemmanager_t)
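Review bot: `allow modemmanager_t self:capability sys_admin;` adds the broadest capability in the set to a modem-management daemon with no comment on which syscall or ioctl required it; `sys_admin` covers mount, namespace operations and a large family of ioctls, so it is the one to justify most carefully. If the denial came from a probe the daemon tolerates failing (common for tty/usb ioctls), `dontaudit modemmanager_t self:capability sys_admin;` is the safer choice, as this same patch does for xguest; if it is genuinely needed, record the operation on the line, e.g. `# sys_admin: <operation> — confirm against the AVC`.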
@@ -17568,7 +17672,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/nut.te serefpolicy-3.6.32/policy/modules/services/nut.te
--- nsaserefpolicy/policy/modules/services/nut.te 1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-13 15:34:47.000000000 -0500
++++ serefpolicy-3.6.32/policy/modules/services/nut.te 2009-11-24 15:02:36.000000000 -0500
@@ -0,0 +1,138 @@
+
+policy_module(nut,1.0.0)
@@ -17608,7 +17712,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+# upsd local policy
+#
+
-+allow upsd_t self:capability { setuid setgid };
++allow upsd_t self:capability { dac_override setuid setgid };
+
+allow upsd_t self:unix_dgram_socket { create_socket_perms sendto };
+allow upsd_t self:tcp_socket create_stream_socket_perms;
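Review bot: The upsd capability set grows to `{ dac_override setuid setgid }`, and `dac_override` lets the daemon bypass owner/group/mode checks on every file policy already lets it reach, not just the one that produced the denial. Such denials usually come from a config or state file whose ownership does not match the UID the daemon drops to; fixing that ownership in the package, or granting `dac_read_search` when only reads are involved, keeps the daemon's reach narrower. At minimum note the trigger on the line, e.g. `# dac_override: reads <file> owned by root after dropping privileges — verify`.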
@@ -23985,7 +24089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+/var/run/libvirt/qemu(/.*)? gen_context(system_u:object_r:svirt_var_run_t,s0)
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/virt.if serefpolicy-3.6.32/policy/modules/services/virt.if
--- nsaserefpolicy/policy/modules/services/virt.if 2009-09-16 10:01:19.000000000 -0400
-+++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-10-28 12:01:39.000000000 -0400
++++ serefpolicy-3.6.32/policy/modules/services/virt.if 2009-11-24 14:56:29.000000000 -0500
@@ -136,7 +136,7 @@
')
@@ -24026,19 +24130,19 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
tunable_policy(`virt_use_nfs',`
fs_manage_nfs_dirs($1)
-@@ -304,8 +306,79 @@
+@@ -304,7 +306,7 @@
')
tunable_policy(`virt_use_samba',`
- fs_manage_nfs_files($1)
- fs_manage_cifs_files($1)
+ fs_manage_cifs_files($1)
-+ fs_read_cifs_symlinks($1)
-+ ')
-+')
-+
-+########################################
-+##
+ fs_manage_cifs_files($1)
+ fs_read_cifs_symlinks($1)
+ ')
+@@ -312,6 +314,77 @@
+
+ ########################################
+ ##
+## Allow domain to read virt image files
+##
+##
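Review bot: In the `virt_use_samba` block the inner patch now replaces `fs_manage_nfs_files($1)` with a line that reads identically to the `fs_manage_cifs_files($1)` context line right after it, so as rendered the block ends up with the files rule twice and no directory rule, whereas the `virt_use_nfs` block above pairs `fs_manage_nfs_dirs` with its files rule. If the duplicate is real, the replacement was probably meant to be `fs_manage_cifs_dirs($1)`; if the rendering dropped a distinguishing character, disregard this. Dropping the NFS rule from the Samba tunable is the right direction either way.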
@@ -24104,10 +24208,16 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+ tunable_policy(`virt_use_samba',`
+ fs_list_cifs($1)
+ fs_read_cifs_files($1)
- fs_read_cifs_symlinks($1)
- ')
- ')
-@@ -346,3 +419,95 @@
++ fs_read_cifs_symlinks($1)
++ ')
++')
++
++########################################
++##
+ ## All of the rules required to administrate
+ ## an virt environment
+ ##
+@@ -346,3 +419,124 @@
virt_manage_log($1)
')
@@ -24184,6 +24294,35 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
+
+########################################
+##
++## Execute qemu in the svirt domain, and
++## allow the specified role the svirt domain.
++##
++##
++##
++## Domain allowed access
++##
++##
++##
++##
++## The role to be allowed the sandbox domain.
++##
++##
++#
++interface(`virt_transition_svirt',`
++ gen_require(`
++ type svirt_t;
++ ')
++
++ allow $1 svirt_t:process transition;
++ role $2 types svirt_t;
++
++ optional_policy(`
++ ptchown_run(svirt_t, $2)
++ ')
++')
++
++########################################
++##
+## Create, read, write, and delete
+## svirt cache files.
+##
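Review bot: The summary for `virt_transition_svirt` says it executes qemu in the svirt domain and its second parameter reads "The role to be allowed the sandbox domain", but the body only grants `$1 svirt_t:process transition` plus the role — no domtrans or entrypoint is set up here, so a caller still depends on execute and entrypoint rights granted elsewhere (outside this hunk). Fix the copy-paste to `## The role to be allowed the svirt domain.` and reword the summary to say it permits a manual transition into svirt_t. The nested `ptchown_run(svirt_t, $2)` additionally hands every caller's role the pt_chown helper domain via svirt_t; a comment such as `# qemu needs pt_chown for pty allocation — confirm` would record why.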